Protecting IIoT with a New Approach to Cyber Defense

Measure, monitor and monetize has long been a mantra for any industry or corporation that wants to be successful with its products or services. This capability is finally ubiquitous thanks to technology being powerful enough and cost effective enough to measure and track everything, from a smart football to complex Industrial systems. The Internet of Things (IoT) has arrived for consumers, and it is geared to measure and monitor everything in our daily lives.

The equivalent capability for business has been coined the Industrial Internet of Things (IIoT), originally named by General Electric as the Industrial Internet in 2012 and quickly adopted by large corporations across the globe, including notables like Siemens, Honeywell, Rockwell, and Intel. The IIoT is transformational - industrial production utilizing IIoT is driving the fully connected enterprise. Today, both worlds, known as Operations Technology (OT) and Information Technology (IT) respectively, have yet to fully come together. The notable organization in the IIoT space is the Industrial Internet Consortium.

What We Don’t Know about IIoT

Can we avoid some obvious and yet well-known issues we’ve all been through with new technology? IIoT embedded devices of varying capabilities are vulnerable to security exploits and hardware and software failures. They need maintenance, care, and feeding of different sorts, and can be major problems if we are not careful. These endpoints are susceptible to becoming bricks, not just due to security vulnerabilities, but also due to a lack of long term planning for the IIoT device lifecycle.

The risks of the IIoT should be considered far greater when looking at critical infrastructure and Industrial Control Systems (ICS) of manufacturers, power grids, water systems, city infrastructures and nuclear plants. No one wants to see us fail to protect these critical systems and fail to take the necessary precautions to eliminate any level of risk where possible. We now have constant cyber-attacks probing and clear attempts at weaponizing software to attack the core infrastructure of countries and companies, along with attempts to destabilize geopolitical arenas. We have seen malware like WannaCry, Mirai and multiple aberrations of them that found their way into baby cameras and video systems and turned them into attack vehicles to shut down or flood the Internet.

At the root of these recent problems has been our global desire to create an open Internet of interconnected devices connecting everything and everyone. This acceleration and adoption of technology has been prolific, but there are also negative consequences, such as hackers that find a weakness in these systems and proceed to expose those for nefarious reasons. There is also the simple fact that the “S” in IoT was not part of many vendor’s alphabet. Pushing out devices with clear security issues could be considered unlawful.

What we need to consider for IIoT

The critical IIoT systems in play are subject to the same potential compromises as we have seen already with IoT. Every IIoT device should be rigorously tested to new industry standards. In particular, these critical devices should be strictly controlled on the data and control planes. The networks they are connected to cannot be open, and indeed government recommendations from NIST IoT and well-known security pundits like Bruce Schneier validate this. There is also the Internet of Things Cybersecurity Improvement Act of 2017 and new Securing IoT legislation coming to bear that is trying to use the FCC as a vehicle of control.

Further, IIoT devices should not be clone-able and should contain unique Identities. Using IP or MAC addresses for identity with our existing network security infrastructure is not sufficient for securing the IIoT. The emerging Physically Unclonable Functions (PUF) in hardware are needed. With this comes the ability to use PUF identity to enable devices to be strictly controlled from a network connectivity perspective, determining what ingress or egress traffic can be initiated to or from these network endpoints. This eliminates the need to use network addresses for security policy.

Deterministic and controlled network connectivity is critical to protecting IIoT devices and systems. The keying and crypto methods should be fluid enough to allow rapid change when known compromises are found or detected. We have seen enough emergency fixes in this area, so updating software in place on these embedded platforms must be handled seamlessly without loss of service. Picture all the traffic lights in London going out or rolling power blackouts due to an IIoT software upgrade!

Solution for Enabling IIoT Security

There are solutions for these core network security requirements, leveraging identity for software-based micro-segmentation. With these in place, ingress, egress and network access is fully controlled and the attack surface is greatly reduced. Network devices are cloaked, and there is no ability for zero day or DDoS attacks because the IIoT devices are simply not reachable.

The typical reconnaissance phase in the cyber kill chain, as depicted by Lockheed Martin, is prevented. Read the benefits of our solutions here.

What’s Next for IIoT Security

There is ongoing collaborative work around securing IIoT and the utility grid. One such effort is led by the Cyber-Physical Systems Security and Resilience R&D Center at the DoE National Renewable Energy Lab to provide cybersecurity and resilience. This work proposes A Layered Solution to Cybersecurity, a well thought out cybersecurity architecture that takes into consideration many of these IIoT security concerns and leverages technologies like BlackRidge for in-line blocking as part of the solution to protect critical infrastructure.

The full version of the article, written by Rob Hubbard, can be accessed here. Rob joined BlackRidge in 2017 to drive network security partnerships and solutions. He was previously with CarbonHelix where he drove their SIEM as a service business with IBM. Rob is a networking and security industry veteran with experience building products, solutions and alliances for Cisco and Juniper Networks.